Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Firefox 33 Fixes Flaws, Improves Content Security Policy

Mozilla's new open-source browser release includes patches for eight security advisories. Three are rated critical.

Mozilla came out Oct. 14 with its new Firefox 33 Web browser, providing users with incremental feature updates and patches for eight different security advisories. Firefox 33 follows Mozilla's Firefox 32 release in September, which included fixes for six security advisories.

Firefox 33 includes three security advisories that Mozilla rated critical. MFSA 2014-74 is identified by Mozilla as "miscellaneous memory safety hazards" and is associated with the CVE-2014-1574 and CVE-2014-1575 vulnerabilities.

The other critical security advisory is MFSA 2014-79, which details a use-after-free memory flaw, identified as CVE-2014-1581, that a security researcher working with Hewlett-Packard's TippingPoint Zero-Day Initiative reported.

Firefox 33 isn't just about patches; it also improves existing security features. Among the features being introduced is a new Content Security Policy (CSP) back-end. Sid Stamm, principal security and privacy engineer at Mozilla, told eWEEK that the new CSP back-end is a more efficient implementation of the CSP feature called Content Security Policy (CSP) that was first introduced in Firefox 4 back in March 2011.

The basic idea behind CSP is to help limit the risk of cross-site scripting (XSS) attacks by enabling sites to declare where content can be loaded from.

"While this new back-end doesn't add new Web protections, it strengthens some already in Firefox," Stamm said. "This is just one step in our efforts to make Firefox security tools fast and effective."

Looking beyond just security fixes, Firefox has been working on a feature called Enhanced Tiles that was in the beta version of Firefox 33. Enhanced Tiles brings users links from Mozilla partners, on a user's new tab page. While the Enhanced Tiles feature was in Firefox 33 Beta, it is not in the final stable release.

"Enhanced Tiles are turned on in Nightly, Aurora and Beta and will be in general release soon," Denelle Dixon-Thayer, senior vice president of business and legal affairs at Mozilla, told eWEEK. "We are working with foundational partners but do not currently have any paid advertising in the builds."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.